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The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )03 Responsive to communication(s) filed on 21 October 2004 . 
2a)S This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) £3 Claim(s) 24-54 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) (EI Claim(s) 24-54 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) Q The specification is objected to by the Examiner. 

10) ^ The drawing(s) filed on 21 October 2004 is/are: a)D accepted or b)D objected to by the Examiner, 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

1 2) D Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 1 9(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1 -D Certified copies of the priority documents have been received. 

2.D Certified copies of the priority documents have been received in Application No. . 



3-D Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 

1 . In response to the previous office action, Applicant has amended claims 24-30, 
33, 35, 37, 38, 43, 46, and 50. Claims 24-54 have been examined. 

Drawings 

2. The drawings were received on 21 October 2004. These drawings are 
acceptable. 

Specification 

3. All previous objections to the specification are withdrawn. 

Claim Rejections - 35 USC § 101 

4. In view of Applicant's amendments, all previous rejections under 35 U.S.C. 101 
are withdrawn. 

Claim Rejections - 35 USC §112 
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5. In view of Applicant's clarifications, all previous rejections under 35 U.S.C. 112 
are withdrawn. See "Response to Arguments" below. 

Claim Rejections - 35 USC § 102 and 35 USC § 103 



The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the 
United States before the invention thereof by the applicant for patent, or on an international application 
by another who has fulfilled the requirements of paragraphs (1 ), (2), and (4) of section 371 (c) of this 
title before the invention thereof by the applicant for patent. 



The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) and the Intellectual Property and High Technology Technical 
Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting 
directly or indirectly from an international application filed before November 29, 2000. 
Therefore, the prior art date of the reference is determined under 35 U.S.C. 102(e) prior 
to the amendment by the AIPA (pre-AlPA 35 U.S.C. 102(e)). 



The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
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6. Claims 24-26, 28-30, 32, 33, 35-38, 43, 45, 46, and 48-50 are rejected under 35 
U.S.C. 102(e) as anticipated by or, in the alternative, under 35 U.S.C. 103(a) as obvious 
over U.S. Patent No. 6,141,760 to Abadi et al. in view of Menezes, "Handbook of 
Applied Cryptography," 1997, p.390. 

Regarding claims 24-26, 30, 32, 33, 37, 43, 45, 46, and 50, Abadi discloses a 
method for constructing a password specific to a service (an application) by hashing the 
name of the service (input data) from the user (see column 3, lines 4-5), a master 
password (the strong password) and the user name (see abstract). The password is 
then submitted to the application (see column 3, lines 60-62). The system is designed to 
construct passwords for all services which a user uses, including client software 
applications (see column 2, lines 41-56). 

Abadi does not explicitly describe the use of a salt. 

Menezes discloses the use of a salt in password generation (see paragraph (v)), 
and further suggests that this makes dictionary attacks more complex. 

Therefore it would be obvious to one of ordinary skill in the art at the time the 
invention was made to add a salt, as disclosed by Menezes, to make dictionary attacks 
more complex. 

Alternatively, Menezes also notes that a userid is considered to be a salt (see 
last sentence); therefore, the user name used by Abadi is a salt, and the claims are 
therefore fully anticipated. 

As per claims 28, 35, and 48, a single master password is used to create multiple 
application passwords. 
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As per claim 29, the user id used as a slat is unique (see column 3, lines 34-45). 
As per claims 36 and 49, the salt value (the user id) is predetermined by the 

user. 

As per claim 38, a networked system is used (see column 2, lines 21-23). 

7. Claim 27 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. 
Patent No. 6,141 ,760 to Abadi et al. in view of Menezes, "Handbook of Applied 
Cryptography," 1997, p. 390 as applied to claim 25 above, and further in view of U.S. 
Patent No. 5,719,941 to Swift et al. 

Abadi and Menezes do not disclose the use of the old password in the method. 

Swift discloses the use of the generated old password in the forming of the 
encryption/decryption key (see abstract), and further suggests that this ensures that the 
source of the new password is authorized to change the password (see column 3, lines 
26-31). 

Therefore it would be obvious to one of ordinary skill in the art at the time the 
invention was made to use the old password in the password updating algorithm, as 
disclosed by Swift, as this ensures that the source of the new password is authorized to 
change the password. 

8. Claims 31 and 44 are rejected under 35 U.S.C. 103(a) as obvious over U.S. 
Patent No. 6,141,760 to Abadi et al. in view of Menezes, "Handbook of Applied 
Cryptography," 1997, p.390 further in view of U.S. Patent No. 6,006,333 to Nielsen. 
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Abadi discloses the generation of user names for storage in a set of user names 
(203), which is then retrieved to generate the password (see column 3, lines 22-45). 

Abadi does not specifically disclose a test to see if the user name already exists. 

Nielsen discloses a system for maintain passwords for different applications 
wherein there is a check to see if a password exists, and an entry may be created if 
none exists. This is done to allow the user to register at the new site (see column 5, 
lines 40-61). 

Therefore it would be obvious to one of ordinary skill in the art to check to see if a 
password exists, and an create an entry if none exists, as disclosed by Nielsen, in order 
to allow the user to register at the new site. 

9. Claims 39 and 51 are rejected under 35 U.S.C. 103(a) as obvious over U.S. 
Patent No. 6,141,760 to Abadi et al. in view of Menezes, "Handbook of Applied 
Cryptography," 1997, p.390 further in view of U.S. Patent No. 6,064,736 to Davis et al. 

Abadi and Menezes do not disclose the algorithm to be used in the construction 
of the hash. 

Davis discloses the use of the MD5 algorithm for constructing a password hash, 
and suggests that this allows a server to transport information safely to a client (see 
column 3, lines 56-65). 

Therefore it would be obvious to one of ordinary skill in the art to modify the 
invention of Abadi and Menezes by using the MD5 algorithm for constructing the 
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password hash, as disclosed by Davis, as this allows a server to transport information 
safely to a client. 

10. Claims 40-42 and 52-54 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over U.S. Patent No. 6,141,760 to Abadi et al. in view of Menezes, 
"Handbook of Applied Cryptography," 1997, p.390 as applied to claims 30 and 43 
above, and further in view of U.S. Patent No. 6,601,175 to Arnold et al. 

Abadi in view of Menezes does not provide for a password that is only valid for a 
limited time period. 

Arnold discloses the derivation of limited-time passwords for local computer use or 
remote administration, which can be created on an as-needed basis (based on platform 
activity), and further suggests that this is done to prevent a user from re-configuring a 
computer after learning the administrative password (see column 5, lines 10-44). 

Therefore it would be obvious to one of ordinary skill in the art at the time the 
invention was made to modify the invention disclosed by Abadi and Menezes by 
supporting limited-time passwords, as disclosed by Arnold, to prevent a user from re- 
configuring a computer after learning the administrative password. 

Response to Arguments 

1 1 . Applicant's arguments, see Remarks, pp. 10-11, filed 21 October 2004, with 
respect to the rejections of claims 32-35, 39, 45-48, and 51 under 35 U.S.C. 112, 



Application/Control Number: 09/753,257 Page 8 

Art Unit: 2134 

second paragraph have been fully considered and are persuasive. For purposes of 
examination, a "strong password" shall be considered to be a password having all of the 
seven properties recited by the University of Illinois policy, as listed in Remarks, p. 11. 

12. Applicant's arguments, see Remarks, filed 21 October 2004, with respect to the 
rejections of claims under 35 U.S.C. 102 over Davis have been fully considered and are 
persuasive in view of Applicant's amendments. Therefore, the rejection has been 
withdrawn. However, upon further consideration, a new ground(s) of rejection is made 
in view of Abadi, Menezes, and Davis. 

1 3. Applicant's arguments filed 21 October 2004 with respect to the rejections of 
claims under 35 U.S.C. 102 and 35 U.S.C. 103 over Abadi and Menezes et al. have 
been fully considered but they are not persuasive. 

Regarding Applicant's arguments that the passwords generated are not 
associated with specific applications, it is noted that Abadi describes a system in which 
unique passwords are generated for all services that require a user password, 
regardless of whether they are local or remote; Abadi's disclosure therefore teaches to 
software applications. 



Conclusion 
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14. Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 

§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

1 5. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Matthew E. Heneghan, whose telephone number is 
(703) 305-7727. The examiner can normally be reached on Monday, Tuesday, . 
Thursday, or Friday from 7:30 AM - 4:30 PM Eastern Time. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse, can be reached on (703) 308-4789. 

Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
P.O. Box 1450 
Alexandria, VA 22313-1450 
Or faxed to: 

(703) 872-9306 
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Hand-delivered responses should be brought to Crystal Park 2, 2121 Crystal 
Drive, Arlington, VA 22202, Fourth Floor (Receptionist). 

Any inquiry of a general nature or relating to the status of this application or 
proceeding should be directed to the receptionist whose telephone number is (703) 305- 
3900. 





March 2, 2005 




